We Told You So: OPM Data Breach Reveals Not Only Lame Security But Weak Legal Protections—And It’s Time To Revisit Both

Over 21 million Americans have just had a taste of the federal government's weak computer security. The recent U.S. Office of Personnel Management (OPM) data breach exposed an estimated 21.5 million records, including the highly invasive SF-85, SF-85P, and SF-86 questionnaires used for background checks, through which the government collected sensitive, personal information about mental and emotional health, illegal drug use, alcohol abuse, personal finances, police records, involvement in non-criminal court actions, divorces and association with organizations advocating violence. The records include not only information about actual and prospective government employees, but also contractors, consultants, and others.

In 2010, EFF recognized the risk of data breaches and warned the U.S. Supreme Court of the possible weaknesses in the legal regime protecting this information. The case was NASA v. Nelson, brought by several NASA contract employees opposing the agency’s institution of invasive background checks for “low-risk” positions in 2007. Our amicus brief warned of “NASA’s collection and inadequate protection of vast amounts of personal information,” and pointed out that the Privacy Act gave no recourse for those whose data is released due to governmental negligence.

Nevertheless, the U.S. Supreme Court upheld NASA’s intrusive screening requirement. It brushed off our concerns about the possibility of injury from a data breach by stating that the “mere possibility” that security measures will fail did not provide grounds to challenge the government collection of information for background checks.

Ironically, the unnecessary background checks in Nelson were justified by the need to meet the Personal Identity Verification (PIV) authentication standard—but lack of user authentication was arguably the worst security fail at OPM. “[N]one of the agency’s 47 major applications require PIV authentication,” the OPM's Office of the Inspector General reported.

Now that this gigantic data breach has occurred, including of course the exposure of much sensitive information about members of the judiciary, we wonder if the Supreme Court still feels the same way, and whether it would be so dismissive of our concerns. It’s clear that this leak wasn’t just a one-off: since 2010, government agencies have experienced more than 300 breaches, resulting in the exposure of around 45 million records. In 2012, NASA itself suffered a breach exposing sensitive personal data for thousands of employees. This year, OPM’s data breach is not only the largest breach in the federal government, but the largest nationwide. Breaches at government agencies have become so frequent that the question is not whether an employee’s data will be exposed but when.

Of course security concerns aren’t the only problem with the now-widespread use of invasive governmental background checks. As we call for better security over what the government must collect, we also think it’s time to revisit what information the government is gathering, about whom and how long it is being kept—issues we also addressed in the Nelson case.

Then, as now, we argued that employee screening procedures may violate employees’ privacy in two ways. First, government employees have a right to informational privacy. According to the Supreme Court’s decision in Whalen v. Roe, this constitutional right upholds an individual’s interest in avoiding disclosure of personal matters. Second, in NAACP v. Patterson, the Supreme Court upheld citizens’ rights to associational privacy—the right of an individual to have privacy in their groups, memberships, and political affiliations. The Supreme Court further held in Shelton v. Tucker that mandating teachers to list their affiliated organizations violated this right because it permitted the school to probe “every conceivable kind of associational tie.” Those arguments weren’t accepted by the Nelson Court, but they may have more resonance today.

Recently, two unions representing federal employees—the National Treasury Employees Union (NTEU) and the American Federation of Government Employees (AFGE)—have filed suit against OPM for failing to protect employee information. NTEU alleges that OPM’s collection violates a constitutional right of privacy and seeks to enjoin OPM from collecting further employee information until appropriate safeguards are implemented. The AFGE filed a class action lawsuit on behalf of all breach victims asserting OPM’s failure to comply with federal security requirements.

We hope that the courts in these cases will be receptive to plaintiffs’ concerns about the government’s abject failure to secure their data. Once exposed, personal data can be used to harm victims for decades and, as one victim observed, "to know that sensitive personal issues were treated so casually by my government is painful in its own right." Individuals should be able to assert their constitutional right of privacy against unnecessary, overbroad, and privacy-invasive data collection. If the data’s not collected and stored, it can’t be exposed or attacked. Equally important, courts must recognize that the words of the Privacy Act or other statutes are just that—words. It takes facts to assess whether agencies are safeguarding our privacy and security.
